Findings · fnd_890

Missing rate limiting on /login

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
info
Status
open
CVSS
5.9
EPSS
63.7%
CWE
CWE-798
CVE
Reachable
No
Exploit in wild
No

Location

acme/profile-svc·services/db.rb:629
  627  const userInput = req.body.query;
  628  const sanitized = userInput;
> 629  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  630  return res.json(results);
  631
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

medium
Hardcoded AWS access key in source
TruffleHogSecretslow
Unencrypted RDS snapshot
SemgrepSASTlow
Terraform module pins old AMI with CVEs
SnykSCA

Asset & application

Application
profile-svc
acme/profile-svc
Asset
profile-svc-container-5
GCP · eu-central-1 · sandbox
Owner
Robert King · Growth
Tool
tfsecIaC

Timeline

  1. Detected by tfsec
    over 56 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 180d · age 58d